SHELLSHOCK!

I just thought I would drop this stock email for you all to use to splain to your execs the problem of SHELLSHOCK and that it is IMPORTANT! I tried to wordsmith for the exec set in here, and the links go right to pertinent blog posts and the CVE from NIST. Just a heads up: I just saw that F5 BIG-IP is also in fact vulnerable to this attack, so WHEEEEE!

Smoke 'em if you got 'em…

K.

UPDATE: Looks like SUID attack may be possible too…

Email Text:

All,

There’s a new vulnerability that affects nearly every system out there using the BASH shell on the internet. This means that any Linux/UNIX system that is currently internet facing is potentially vulnerable to exploitation by someone inserting commands into requests sent to servers, for example via CGI scripts or HTML forms. There is already a Metasploit module for this, but you can check your version, and whether it is vulnerable, with the following command in a bash shell. This is an important vulnerability that could lead to a larger compromise of our environment!

The short answer here about this vuln is that if you are vulnerable, an attacker can run arbitrary code to make your system spit out data that you don’t want exposed, such as the /etc/passwd file, among other things.

Needless to say, this is of HIGH importance and rates a 10 on the NIST scale!

How to test for this vulnerability:
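The test command itself did not survive the copy of the email above. As an added example (my own wrapper, not the original's text), here is a small POSIX sh script around the widely published one-line check for the original Shellshock bug. It only tells you whether the local bash still imports function definitions from environment variables and then runs the commands that trail the function body; it says nothing about whether the host is reachable or which services hand request data to bash.

```sh
#!/bin/sh
# Added example: local self-check for the original Shellshock bug.
# An unpatched bash treats an exported variable whose value starts with
# "() {" as a function definition and then executes whatever follows the
# closing brace. The check exports such a variable whose trailing command
# only echoes a marker, starts a child bash, and looks for the marker.

shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no bash installed on this host"
        return 2
    fi
    ver=$(bash -c 'echo "$BASH_VERSION"')
    # The child bash imports $x on startup; the marker is printed only if
    # the "echo" after the function body is executed as well.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo child-ok' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "VULNERABLE: bash $ver executes commands trailing an imported function"
            return 1 ;;
        *)
            echo "not vulnerable: bash $ver ignores commands trailing an imported function"
            return 0 ;;
    esac
}

# Stand-alone usage: the script's exit status is the check result
# (0 = not vulnerable, 1 = vulnerable, 2 = no bash), so it can be run
# from an inventory loop over many hosts and the failures collected.
shellshock_check
```

The one-liner covers only the first bug; the follow-up parser bugs found in the days after it needed further patches, so a "not vulnerable" here means "patched for the original issue", not "done". Re-run it after every bash update and on every appliance that exposes a shell.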

REMEDIATIONS:

There’s a new vulnerability that affects nearly every system out there using BASH shell on the internet. This means that any Linux/UNIX system that is at the moment internet facing is potentially vulnerable to being exploited by someone using commands inserted and sent to servers via CGI scripting. There is already a module in metasploit on this, but you can check your versioning and if it is vulnerable with the following command in bash shell. ~Troy Hunt

Another concern here is the other appliances that are at risk:

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer’s website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren’t randomly changing either config or firmware and there’s not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it’s also not the sort of thing your average consumer is going to be comfortable doing themselves either. ~Troy Hunt

Another option is to remove BASH and replace it with something else:

“Other more drastic options include replacing Bash with an alternate shell implementation or cordoning off at-risk systems, both of which could have far-reaching ramifications and are unlikely to be decisions taken lightly. But that’s probably going to be the nature of this bug for many people – hard decisions that could have tangible business impact in order to avoid potentially much more significant ramifications.” ~Troy Hunt

DETECTION OF COMPROMISE:

Basically, there is no way to do so effectively unless perhaps you are capturing all packets…

This can be hard to determine if there’s no logging of the attack vectors (there often won’t be if it’s passed by HTTP request header or POST body), but it’s more likely to be caught than with Heartbleed when short of full on pcaps, the heartbeat payloads would not normally have been logged anywhere. ~Troy Hunt
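One place the attack vector does get logged is the web server access log when it uses the "combined" format, which records the User-Agent and Referer headers (though not cookies or POST bodies, so those vectors stay invisible, as the quote above says). As an added example, not part of the original post, here is a POSIX sh script that runs a detection pattern over a handful of constructed access-log lines. It keys on the "() {" function-definition prefix that every Shellshock payload has to carry, whatever command follows it.

```sh
#!/bin/sh
# Added example: hunt for Shellshock attempts in web server access logs.
# The payload has to arrive in something the server copies into the CGI
# environment (User-Agent, Referer, query string, ...) and must begin with
# the "() {" function-definition prefix, so that prefix is the one string
# worth searching logged request fields for. Only fields the log format
# records are visible: combined format keeps User-Agent and Referer.

# Constructed sample lines in combined log format. The two payloads are
# harmless markers that only echo a string, not real attack strings.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 84 "-" "() { :;}; echo SHELLSHOCK-TEST"
10.0.0.7 - - [25/Sep/2014:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.30.0"
10.0.0.9 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/test.cgi?x=1 HTTP/1.1" 500 0 "() {:;}; echo SHELLSHOCK-TEST" "-"
10.0.0.8 - - [25/Sep/2014:10:00:05 +0000] "GET /docs/functions().html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
EOF
}

# Extended regex: "()" followed by optional whitespace and "{". Requiring
# the brace as well as the parentheses keeps "functions().html" out.
SHELLSHOCK_PATTERN='\(\)[[:space:]]*\{'

# Print the matching lines from the log text given on stdin.
shellshock_hits() {
    grep -E "$SHELLSHOCK_PATTERN"
}

# Number of matching lines in the embedded sample.
shellshock_hit_count() {
    sample_log | shellshock_hits | wc -l | tr -d ' '
}

# Source addresses that sent at least one payload, one per line, so that
# everything else those addresses did can be reviewed next.
shellshock_sources() {
    sample_log | shellshock_hits | awk '{print $1}' | sort -u
}

echo "Shellshock-style requests in sample log: $(shellshock_hit_count)"
echo "Sources to review:"
shellshock_sources
```

On a real host, replace `sample_log` with `cat /var/log/apache2/access.log` (or the equivalent path for your server) and feed the pattern to whatever log search you already run. A hit proves an attempt, not a compromise; the next question is whether the target path was a CGI script and what the same source did afterwards.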

The real problem here is that this exploit set is still being worked out because it’s modular: if an attacker can get arbitrary code to run, they can place exploit code in there and use a 0day to complete the job. So this is an evolving threat and MUST be taken seriously. Mitigation strategies should be worked out for the environment, and all due diligence should be followed in keeping up with the intelligence on this vulnerability and what is being seen in the wild.